[SOLVED] ICMPv6 packets dropped after IPsec decapsulation

ljbrits · 11-13-2018, 05:38 AM

Hi all,

I have Linux as a router that maintain a IPsec tunnel to another Linux router. I am adding IPv6 support, but ran into the following problem:

When I ping from a PC with address 3333:10, the packet goes to the first router and is encapsulated and send to the other router which is suppose to dorward the ping to another PC with address 2222::10. With tcpdump I can see the ESP packets being send and received by the routers. In the second router, the packet however never makes it to the FORWARD chain. Using iptables logging, I can see that the packet was de-encapsulate and then the ping from 3333::10 to 2222::10 is discarded at NAT-PREROUTING. That is, I can see the packet logged in the NAT-MANGLE table, but not in NAT-PREROUTING. A system generated reply ICMP message is being created and send back to the original router and states "ICMP6, destination unreachable, unreachable address 2222::10". The 2222::/64 network is however configured on one of the interfaces and is in the routing table.

So something in the PREROUTING tables decides that it does not like packets from 3333::10. Any suggestions as to who and how to control?

For IPv4 I fix this by setting the "reverse path" (rp_filter) value. It does however seem that Linux 4.9 does not have something like this for IPv6. Can this be the problem, and if so how do I disable reverse path for IPv6?

Regards,
LJB

ljbrits · 11-14-2018, 02:05 AM

Some follow up information:

I've started using TRACE instead of setting up LOG in all the tables. The weird thing is that it shows the packet traversing all the rules correctly. When it comes in it is shows:
[ 5165.938855] TRACE: raw:PREROUTING

olicy:4 IN=black OUT= MAC=<blah> SRC=3333:0000:0000:0000:0000:0000:0000:0010 DST=2222:0000:0000:0000:0000:0000:0000:0010 LEN=104 TC=0 HOPLIMIT=63 FLOWLBL=833520 PROTO=ICMPv6 TYPE=128 CODE=0 ID=14420 SEQ=331 MARK=0x1

and when it exits after all the rules:
[ 5166.698701] TRACE: mangle:POSTROUTING

olicy:2 IN= OUT=red SRC=3333:0000:0000:0000:0000:0000:0000:0010 DST=2222:0000:0000:0000:0000:0000:0000:0010 LEN=104 TC=0 HOPLIMIT=62 FLOWLBL=833520 PROTO=ICMPv6 TYPE=128 CODE=0 ID=14420 SEQ=331 MARK=0xf

The tcpdump on the red-interface above however DOES NOT show any IP6 packet exiting!! (99% of the time, did see it pop out once).

Any ideas? IPv4 is working fine, so I now there is no hardware issue.

ljbrits · 11-23-2018, 06:42 AM

I found the problem: Link-local addresses where being deleted